I have two open OpenLDAP servers. A test environment and a production environment.
The wildcard operator seems to be not working in the production environment, but it does work in the test environment. These are, as far as I know, configured the same. I typically use Python to interact with OpenLDAP.
If I run
ldap.search_ext_s(base='ou=my_branch,o=my_organization', scope=ldap.SCOPE_SUBTREE, filterstr='uid=foobar')
it will find the data with the attr uid whose value is foobar.
Yet if I specify the filter as uid=*foobar* then it only works on the development server.
On both servers the command /usr/sbin/slapcat -n 0 | grep olcDbIndex outputs the same thing. For the uid attribute it is olcDbIndex: uid pres,eq,sub. I'm not certain that it is related but that is the last change that has been made as far as I know.
So I'm wondering what options/configurations/schemas I can compare between the two servers to try and figure out why it works as expected on the development server but not on the production server?
Edit: I'm really at a loss here so any information on how I might introspect into this issue could be helpful.
The directory schema defines matching rules for each attribute: both an 'exact' match and a 'substring' match have to be defined separately in OpenLDAP.
For example, if the attribute is defined as having EQUALITY caseIgnoreMatch, then it also needs SUBSTR caseIgnoreSubstringsMatch for wildcard searches to work.
(Similarly, operators like >= would require an ORDERING rule to be defined.)
Having a sub index is relevant, though not mandatory; an unindexed search would just be slower. However, there can be situations where the index exists but is incomplete – you may need to do a full reindex using slapindex.
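One way to run the schema comparison the answer points to, as an added example that is not part of the original posts: it parses attributeTypes definitions from two servers and reports which matching rules differ for an attribute, following SUP inheritance. The schema strings and all function names are constructed for illustration.

```python
import re

# Constructed sample values of the subschema "attributeTypes" attribute (RFC 4512
# syntax), standing in for what each server returns; not from the original post.
TEST_SCHEMA = [
    "( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )",
    "( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'inherits its rules' SUP name )",
]
# Constructed "production" variant: the uid definition has lost its SUBSTR rule.
PROD_SCHEMA = [d.replace(" SUBSTR caseIgnoreSubstringsMatch", "") if "'uid'" in d
               else d for d in TEST_SCHEMA]
RULES = ("EQUALITY", "ORDERING", "SUBSTR")

def parse_attribute_type(definition):
    """Pull the OID, names, SUP and matching rules out of one definition."""
    text = re.sub(r"\bDESC\s+'[^']*'", "", definition)  # DESC is free text
    oid = re.match(r"\(\s*([\w.-]+)", text).group(1)
    m = re.search(r"\bNAME\s+(?:'[^']+'|\([^)]*\))", text)  # one name or a list
    names = re.findall(r"'([^']+)'", m.group(0)) if m else []
    entry = {"names": names + [oid]}
    for key in RULES + ("SUP",):
        found = re.search(r"\b%s\s+([\w.;-]+)" % key, text)
        entry[key] = found.group(1) if found else None
    return entry

def build_index(definitions):
    """Map every lower-cased name and OID to its parsed definition."""
    index = {}
    for entry in map(parse_attribute_type, definitions):
        index.update({n.lower(): entry for n in entry["names"]})
    return index

def effective_rules(index, attr):
    """Matching rules for attr; a rule not set locally is inherited via SUP."""
    rules, entry, seen = dict.fromkeys(RULES), index.get(attr.lower()), set()
    while entry and id(entry) not in seen:  # 'seen' guards against SUP loops
        seen.add(id(entry))
        for r in RULES:
            rules[r] = rules[r] or entry[r]
        entry = index.get((entry["SUP"] or "").lower())
    return rules

def diff_servers(attr, schema_a, schema_b):
    """Return {rule: (value_a, value_b)} for each rule that differs."""
    a = effective_rules(build_index(schema_a), attr)
    b = effective_rules(build_index(schema_b), attr)
    return {r: (a[r], b[r]) for r in RULES if a[r] != b[r]}
```

Real input would be the attributeTypes values read from each server's subschema entry (cn=Subschema on a default OpenLDAP setup, which is an assumption about this deployment). An empty result for uid means the matching rules agree and the index state is the next thing to compare.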